Brand impersonation: Google Meet with malicious link
Detects inbound messages containing a link whose display text is 'Join with Google Meet' but whose destination host is not meet.google.com, combined with Google Meet template artifacts (the Meet logo image or the green join button) and lacking the 'Guests'/'Join by phone' heading tables present in legitimate invitations.
Sublime rule (View on GitHub)
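name: "Brand impersonation: Google Meet with malicious link"
description: "Detects inbound messages with a 'Join with Google Meet' link whose destination host is not meet.google.com, combined with Google Meet template artifacts (logo or green join button) and lacking the 'Guests'/'Join by phone' tables found in legitimate invitations."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // the "Join with Google Meet" button must point somewhere other than the real Meet host.
  // an exact host comparison is used rather than a substring check: a lookalike host such as
  // meet.google.com.<attacker-domain> contains the string "meet.google.com" and would otherwise
  // be treated as legitimate and suppress the rule. links with no parseable host (mailto:,
  // relative hrefs) are skipped explicitly instead of letting a null comparison decide.
  // NOTE(review): the display-text match is exact and case-sensitive, as in the structural
  // checks below; minor casing or whitespace variants of the button text are not covered.
  and any(body.current_thread.links,
          .display_text == "Join with Google Meet"
          and .href_url.domain.domain is not null
          and .href_url.domain.domain != "meet.google.com"
  )
  and (
    // finding the logo tag in the html
    any(html.xpath(body.html, '//img[@alt="[Optional Logo]"]').nodes,
        .raw is not null
    )
    // OR find the green button
    or any(html.xpath(body.html, '//a[contains(@style, "rgb(52,168,83)")]').nodes,
           .display_text == "Join with Google Meet"
    )
  )
  // finding the "Guests"/"Join by phone" tables NOT being present in the message is a good way to filter out the legit messages.
  and length(html.xpath(body.html,
                        '//table/tbody/tr/td/h2[contains(@style, "color:rgb(60,64,67)")]'
             ).nodes
  ) == 0
  // we're filtering out some more "generic" table heading for google meets with this one
  and not any(distinct(map(html.xpath(body.html, '//table//h2').nodes,
                           .inner_text
                       )
              ),
              . in ("Meeting link", "Join by phone", "Guests")
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "d488d85a-fb02-5b40-a902-03ba0784ad35"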